On Thursday, July 10, 2003, at 12:35 PM, Paul Hoffman / IMC wrote:


(Of course, watching the outgoing mail would make this attack easier too. :-) )


Of course, if they're sniffing packets or otherwise intercepting content, the only thing that'll stop it is a phone call... carrier pigeon, maybe.


My worry, of course, is that the e-mail community has had a tendency to see mail-back validation as the solution to many problems (and it is, just not as globally as some might hope) --- but I don't think the community has ever stopped to make sure those techniques were really secure in a formal way, or defined what it takes to be secure. The existence has been enough...

(But then, there are all sorts of attack vectors in mail lists that haven't been properly addressed. If I want to mailbomb your inbox into a cinder, does it matter whether I subscribe you to 50 busy mail lists, or simply shove 1,500 "if you want to confirm your subscription..." replies in via a forged address? Most servers will happily keep resending confirmations without rate limiting, so you don't even need to find 1500 lists... Ditto help and info messages, postmaster auto-bots, etc, etc... )



_______________________________________________
Mailman-Developers mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-developers
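
The message above notes that most servers resend confirmations, help and info replies without rate limiting. The sketch below is an added example, not part of the original post and not Mailman's code: one server-wide budget of automated replies per claimed sender address, shared across all lists and reply types. The class name, the limit of 3 per hour and the folding of "+tag" address variants are assumptions made for illustration.

```python
from collections import defaultdict, deque


class AutoReplyLimiter:
    """Caps automated replies (confirm, help, info) sent to any one address.

    Hypothetical helper: one instance is shared by every list and auto-responder
    on the server, so spreading forged requests over many lists gains nothing.
    """

    def __init__(self, max_replies=3, window_seconds=3600):
        self.max_replies = max_replies
        self.window = window_seconds
        self._sent = defaultdict(deque)  # normalized address -> send times

    @staticmethod
    def normalize(address):
        # Assumption: fold case and drop "+tag" so variants of one mailbox
        # share a single budget (plus-addressing is a convention, not a rule).
        local, _, domain = address.strip().lower().rpartition("@")
        return f"{local.split('+', 1)[0]}@{domain}"

    def allow(self, claimed_sender, now):
        """Return True if an auto-reply may go to the (unverified) sender."""
        stamps = self._sent[self.normalize(claimed_sender)]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()              # forget sends outside the window
        if len(stamps) >= self.max_replies:
            return False                  # drop silently: no bounce, no reply
        stamps.append(now)
        return True


def replies_sent(requests, limiter):
    """Count auto-replies actually sent for (time, claimed_sender) requests."""
    return sum(limiter.allow(sender, now) for now, sender in requests)


# Constructed sample: 1,500 requests in 25 minutes, all forged as one victim,
# using mixed case and "+tag" variants of the same mailbox.
FLOOD = [(i, "Victim+%d@Example.org" % (i % 7)) for i in range(1500)]

if __name__ == "__main__":
    print(replies_sent(FLOOD, AutoReplyLimiter()), "of", len(FLOOD), "sent")
```

Requests over the budget are dropped without any response, since a rejection notice sent to the forged address would itself be another automated reply.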
